CVE-2024-49934

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name<br /> <br /> It&amp;#39;s observed that a crash occurs during hot-remove a memory device,<br /> in which user is accessing the hugetlb. See calltrace as following:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790<br /> Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s<br /> mirror dm_region_hash dm_log dm_mod<br /> CPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:do_user_addr_fault+0x2a0/0x790<br /> Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41<br /> RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046<br /> RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36<br /> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658<br /> R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000<br /> FS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? __warn+0x8d/0x190<br /> ? do_user_addr_fault+0x2a0/0x790<br /> ? report_bug+0x1c3/0x1d0<br /> ? handle_bug+0x3c/0x70<br /> ? exc_invalid_op+0x14/0x70<br /> ? asm_exc_invalid_op+0x16/0x20<br /> ? do_user_addr_fault+0x2a0/0x790<br /> ? exc_page_fault+0x31/0x200<br /> exc_page_fault+0x68/0x200<br /> <br /> BUG: unable to handle page fault for address: 0000000000001000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP PTI<br /> ---[ end trace 0000000000000000 ]---<br /> BUG: unable to handle page fault for address: 0000000000001000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:dentry_name+0x1f4/0x440<br /> <br /> ? dentry_name+0x2fa/0x440<br /> vsnprintf+0x1f3/0x4f0<br /> vprintk_store+0x23a/0x540<br /> vprintk_emit+0x6d/0x330<br /> _printk+0x58/0x80<br /> dump_mapping+0x10b/0x1a0<br /> ? __pfx_free_object_rcu+0x10/0x10<br /> __dump_page+0x26b/0x3e0<br /> ? vprintk_emit+0xe0/0x330<br /> ? _printk+0x58/0x80<br /> ? dump_page+0x17/0x50<br /> dump_page+0x17/0x50<br /> do_migrate_range+0x2f7/0x7f0<br /> ? do_migrate_range+0x42/0x7f0<br /> ? offline_pages+0x2f4/0x8c0<br /> offline_pages+0x60a/0x8c0<br /> memory_subsys_offline+0x9f/0x1c0<br /> ? lockdep_hardirqs_on+0x77/0x100<br /> ? _raw_spin_unlock_irqrestore+0x38/0x60<br /> device_offline+0xe3/0x110<br /> state_store+0x6e/0xc0<br /> kernfs_fop_write_iter+0x143/0x200<br /> vfs_write+0x39f/0x560<br /> ksys_write+0x65/0xf0<br /> do_syscall_64+0x62/0x130<br /> <br /> Previously, some sanity check have been done in dump_mapping() before<br /> the print facility parsing &amp;#39;%pd&amp;#39; though, it&amp;#39;s still possible to run into<br /> an invalid dentry.d_name.name.<br /> <br /> Since dump_mapping() only needs to dump the filename only, retrieve it<br /> by itself in a safer way to prevent an unnecessary crash.<br /> <br /> Note that either retrieving the filename with &amp;#39;%pd&amp;#39; or<br /> strncpy_from_kernel_nofault(), the filename could be unreliable.